
Rwanda Passes New Law Protecting Personal Data

KIGALI, RWANDA - Rwanda’s law on the protection of personal data and privacy was officially gazetted on 15th October 2021. One of the tenets of this law is the clear and unambiguous consent of an individual to the collection, storage, and processing of personal data, which is a fundamental right.

The law now brings Rwanda in line with international data protection standards, vital for the modern digital economy facilitating services such as e-commerce, international financial transactions, and various online services.
 
The primary goals of this law are to:
  • Empower citizens with agency over their personal data
  • Enable trusted and secure data flows, domestically and internationally
  • Provide regulatory certainty for existing businesses and prospective investors, and an enabling environment for SME growth
  • Accelerate Rwanda’s ambitions towards a technology-enabled and data-driven economy

 

“The accelerated digital transformation that we are witnessing in both the public and private sectors requires a progressive and inclusive approach to data protection. This law provides the necessary foundation to transform Rwanda into a data-empowered society, by ensuring all critical stakeholders, starting with government institutions, are attaining the gold standard in personal data protection and privacy,” said Hon. Paula Ingabire, Minister of ICT & Innovation, Rwanda.

With the advancement of technological innovation and cross-border digital trade, adequate personal data protection legislation is essential to fully harness the benefits of the global digital economy while safeguarding the privacy of individuals.

Non-compliance with data protection legislation, in Rwanda and internationally, could impede Rwanda-based organizations from participating in cross-border business as well as deter foreign direct investment from companies looking to take advantage of Rwanda’s enabling business environment and rising reputation as a proof-of-concept hub in the ICT sector.

This law was enacted after a comprehensive, multi-stakeholder consultative process that started in January 2020, initiated by the Rwanda Information Society Authority and supported by the Centre for the Fourth Industrial Revolution Rwanda (C4IR Rwanda).

“This law is an important step for Rwanda to compete in the global digital economy. Having strong data governance frameworks in place that promote innovation and enable cross-border data flows is essential to maximize the socio-economic benefits of emerging technologies, such as artificial intelligence, that heavily rely on massive amounts of data,” said Crystal Rugege, Managing Director of C4IR Rwanda, a Partner of the World Economic Forum Network for Global Technology Governance.

The passing of this law begins a 2-year journey to compliance, allowing individuals and institutions to put in place the necessary processes to ensure personal data is handled in a trusted and secure manner. In line with global best practices, the law designates the National Cyber Security Authority (NCSA) as the supervisory authority charged with enforcement of this law. NCSA will work with all concerned stakeholders to ensure a smooth implementation of this law over the next 24 months.
 
Who does this law apply to?
  1. Individuals and institutions established or residing in Rwanda, that process the personal data of individuals in Rwanda (not just citizens).
  2. Individuals and institutions established or residing outside of Rwanda, that process the personal data of individuals in Rwanda.
 
Overview of the 24-month compliance period:
  • Awareness campaign on rights to privacy & protection of personal data
  • Co-designing implementation frameworks in partnership with key stakeholders
  • Operationalizing the law in all government institutions
  • Establishment of support platforms to help organizations of all sizes to:
    • Become data secure
    • Institute internal frameworks & policies to protect their data and uphold rights
  • Establishing adequacy frameworks for cross-border compliance
  • Training across both public & private sector
 
With the transitional period ending on 15th October 2023, the NCSA will share the implementation calendar over the coming weeks, with clear milestones on what organizations should have in place to ensure they are compliant within the next two years.
 
END
 
For any queries or interview requests, please contact:
Ghislaine Kayigi
Chief Cybersecurity Standards Officer
National Cyber Security Authority
dpp@ncsa.gov.rw

 

Link to gazetted law:
Official Gazette No Special of 15.10.2021_Personal Data and Privacy

 

21 October 2021
